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ING WITH DATA SYSTEMS 

(57) Abstract 

In an apparatus (10, 49) communi- 
cating with a high secrecy and high securi- 
ty on-line verification data system (40) 
and an off-line verification data system 
(1 8) of a lower secrecy and security level, a 
person in possession of a card (21, 22, 23, 
24) inputs the card into the apparatus (10, 
49). The data are read from the card and 
input to a security module (50) of the ap- 
paratus. On the basis of the data read from 
the card, the apparatus (10, 49) identifies 
the card as a card belonging to the on-line 
or the off-line data system. Within the sec- 
urity module (50), a keyboard (46) is ar- 
ranged, on which the person in possession 
of the card inputs a personal authentifica- 
tion code into the security module. Pro- 
vided the card has been identified as a 

card belonging to the on-line data system (40), the data read from the card (21) and the code input by means of the key- 
board (46) are encrypted using an encryption algorithm stored in a first storage means of the security module (50) and are 
output to the on-line da ta system (40), within which the authenticity of the person in possession of the card is verified. Pro- 
vided the card has been identified as a card belonging to the off-line data system (18), the data read from the card (22, 23 r 
24) are compared to the code by employing a verification algorithm, stored in a second storage means of the security mo- 
dule (50), in a comparator of the security module (50). As a result of the comparison within the comparator an authenticity 
code or f alternatively, a non-authenticity code is output to the off-line data system, exclusively. . 
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1 

AN APPARATUS COMMUNICATING WITH DATA SYSTEMS AND A 
METHOD OF COMMUNICATING WITH DATA SYSTEMS 

BACKGROUND OF THE INVENTION 

. In the prior art, several apparatuses, systems etc/ have been devel- 
5 oped for identifying a cardholder or for verifying the cardholder s 
authenticity relative to a data system on the basis of data read from 
or originating from data read from the cardholder's card by a card 
reading terminal and on the basis of a code input by the cardholder 
and known by the legal cardholder exclusively. 

10 Among these known systems, some carry out the authenticity verifi- 
cation on-line, while others carry out the authenticity verification 
off-line. In an on-line system, it is customary to encrypt the data 
read from or originating from the data read from the card and the 
code input by the cardholder, and to transmit the encrypted data and 
15 the encrypted code to a remote central processing unit. In the central 
processing unit, the encrypted data and the encrypted code are 
compared in an encrypted or in a de-encrypted state, to determine 
whether the cardholder, i.e. the person in possession of the card in 
question, is positively identified as the legal cardholder. In an off- 
20 line system, the data and the code are compared to one another in 
the card reading terminal, in an encrypted state or in a non-encryp- 
ted state for carrying out the positive identification of the cardholder 
relative to the card. After a positive identification of the cardholder, 
the system may allow a transaction of a sum of money to or from an 
25 account identified by the card and the cardholder, alJow access for 
the cardholder to a carefully locked territory, region or zone, or 
dispense objects, articles, etc. to the cardholder in a predetermined 
amount, i.e. determined by the data of the card, or alternatively in 
an amount determined by the cardholder by input of a number cor- 
30 responding to the amount in question. 

The card may be an optically readable card, i.e. a card having light 
transparent and light intransparent areas, such as cards having 
transparent windows; it may be a mechanically readable card having 
mechanical data identifying means, e.g. punched areas; it may be a 
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magnetic card having magnetic zones or magnetic strips in which the 
data are recorded; or it may be an active or electronic card having 
integral electronic storage means which are connected to the reading 
terminal through electronic connection means. Alternatively, the card 
5 may be a combined optically, mechanically, magnetically readable and 
electronic card. However, it has become customary to employ cards 
having magnetic strips arranged thereon together with a name or 
symbol identifying the card system or data system, such as cards 
conforming to among others the ISO Standard 2894 (international 
10 * Organization of Standardization), also known as ISO cards. 

As still more functions are automatied and still more card systems are 
issued, there is a need for an apparatus which renders it possible to 
identify different card or data systems and to provide communication 
to the correct data system. First of alJ, this need has a conveniency 

15 aspect as a person may purchase goods by means of several different 
machine readable- cards, such as a card, conventionally a credit card, 
issued by the company or the firm in question, a credit card issued 
by a credit card organisation, such as a Diners Club Card, a Euro- 
card, etc., or a card such as a debit, card, e.g. a card issued by a 

20 batik organisation, such as the "Dankbrt System". However, apart 
from the conveniency aspect of providing a single apparatus for 
reading cards issued by different card issuing organ isations, a very 
important security aspect is also involved therein. 

Basically, the different organisations- or data systems have different 
25 levels of data secrecy and data security; as mentioned above, some 
data systems verify the authenticity of the cardholder or the person 
in possession of the card on-fine, others carry out the verification 
off-line, while in some data systems, the verification is carried out 
semi-on-line in that the data* are read from the card and output to a 
30 verification block together with the secret code input by the cardhol- 
der. Conventionally, this verification block is included in a so-called 
,r back office computer". As the transmission from the card reading 
terminal to the back office computer or verification block may very 
easily be tapped, a coherent set of data and code, read from the card 
35 and input by the cardholder, respectively, may be tapped. Conse- 
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quently, the person tapping the transmission may provide a false 
copy of the card and use this false copy as a legal card as the secret 
code has been exposed to him. Therefore, as some card and data 
systems involve high secrecy and high security, there is a risk that 
5 a high secrecy and high security card may inadvertently be presented 
to a low secrecy and low security* terminal by the legal cardholder, 
who also inputs the secret code to this low secrecy and low security 
terminal which exposes the information, i.e. the data of the card and 
the secret code. 

10 Apart from the above risk of inadvertently presenting the card data 
and the secret code known to the legal cardholder exclusively, a false 
or dummy terminal provided by a person who wants to tap coherent 
sets of data and code by means of the dummy terminal and having 
identifications corresponding to the high secrecy and high security 

15 card system could also expose the card data and the secret code, 
especially in cases where several card reading terminals of different 
organisations are arranged side by side. 

It is believed that the provision of a single apparatus communicating 
with the different data systems is of the utmost importance for ob- 
20 taining a high Secrecy and high security level as the possibility of 
confusing the cardholder is minimized when the possibility of pro- 
viding a trustworthy copy or dummy terminal is reduced. 

However, a simple apparatus communicating with different data sy- 
stems, for reading data from a data carrying card and for transmit- 

25 ting the data and the code input by the cardholder to the different 
data systems can in itself provide transparency to the high secrecy 
and high security data system from a low secrecy and low security 
data system as the apparatus very easily may be falsely controlled 
into a mode in which the data read from the high secrecy and high 

30 security card together with the corresponding code are output to a 
low security and low secrecy data system. 

Therefore, there is a need for an apparatus communicating with more 
than one data system for obtaining the above discussed security 
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• advantages offered by a combined apparatus, however, still elimina- 
ting the risk of providing transparency to a high security and high 
secrecy data system from a low secrecy and low security data system. 

SUMMARY OF THE INVENTION 

5 This need is fulfilled by an apparatus according to a first aspect of 
the invention and communicating with at least two different data sy- 
stems, for receiving data originating from data read from a data 
carrying card, for receiving a card identifying signal positively 
identifying the card as a card belonging to a first data system, or 
10 alternatively, as a card belonging to a second data system, and for 
transmitting the data originating from the data- read from the card to 
a first of said data systems, or. alternatively, for verifying the au- 
thenticity of a person in possession of the card relative to a second 
of said data systems, comprising: 

15 a data input means for receiving the data originating from the 

data read, from the card and for receiving the card identifying signal, 

an input means for input of a personal authentication code, 

a first storage means for storing a first encryption algorithm and 
a transmission protocol, 

20 a second storage means for storing a verification algorithm, 

an encryption means, controlled by the data input means and the 
first storage means, for encryption of the data and the code, so that, 
provided the card is identified as a card belonging to the first data 
system, the data originating from the data read from the card and the 
25 code are encrypted by employing the first encryption algorithm stored 
in the first storage means, and are output to the first data system 
controlled by the transmission protocol stored in the first storage 
means, and 



a comparator means, controlled by the data input means and the 
second storage means, for comparing the data originating from the 
data read from the card and the code, so that, provided the card is 
identified as a card belonging to the second data system, an authenti- 
5 city code is supplied to the second data system in case the data 
originating from the data read from the card are verified in relation 
to the code by employing the verification algorithm stored in the 
second storage means, or alternatively, a non-authenticity code is 
supplied to the second data system in case the data originating from 
10 the data read from the card are not verified in relation to the code 
by employing the verification algorithm stored in the second storage 
means* 

The concept of the present invention eliminates the risk of providing 
transparency to the first data system or the high secrecy and high 
15 security data system from the second data system or the low secrecy 
and low security data system, as, on the one hand, regarding the 
first data system, i.e. the high secrecy and high security data sy- 
stem, the personal authentication code is output to the first data- 
system, in an encrypted state exclusively, which in itself guarantees 
20 the high security and high secrecy level, and on the other hand, 
regarding the second data system, i.e. the low secrecy and low 
security data system, the personaf authentication code is compared to 
the data originating from the data read from the card exclusively in 
the comparator means, and the code input by means of the input 
25 means is under no circumstances output to the second data system, as 
the authenticity code or the non -authenticity code is output thereto 
exclusively. Furthermore, a coherent set of data originating from the 
data read from the card and code is under no circumstances output to 
the second data system. 

30 In the present context, the expression "data originating from the data 
read from a card" means the data themselves read from the card or 
any offset or processed version of the data read from the card. 
Thus, the data which are received by the data input means of the 
apparatus according to the invention may constitute the data them- 

35 selves read from the card or any offset or processed version of the 
data read from the card. 
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In accordance with a first embodiment of the invention, the apparatus 
may comprise a further encryption means, a second encryption algo- 
rithm further being stored in the second storage means, and the 
further encryption means being controlled by the data input means 
and the second storage means, so that, provided the card is identi- 
fied as a card belonging to the second data system, the data origina- 
ting from the data read from the card and the code are encrypted in 
the further encryption means by employing the second encryption 
algorithm stored in the second storage means prior to the comparison 
of the data and the code in the comparator means. 

As an individual encryption means is employed for encrypting the 
data originating from the data read from the card and the code in 
relation to the first data system, and as the data and the code are 
further encrypted by employing a respective encryption algorithm 
prior to the yerification in relation to the second data system, the 
intransparency is further increased, since the possibility of breaking 
the encryption code of the first data system, based on knowledge of 
the encryption, and verification procedure involved in verifying the 
authenticity of the person in possession of the card in relation to the 
second data system, is eliminated. 



In accordance with the teachings of the present invention, the appa- 
ratus may further be adapted to communicate with three or more data 
systems without providing transparency to the high security and high 
secrecy data system from the low secrecy and low security data 
25 systems. In this embodiment of the invention, the apparatus further 
comprises a third storage means for storing a further verification 
algorithm, the card identifying signal further positively identifying 
the card as a card belonging to one of said three or more data sy- 
stems, and the' comparator means further being controlled by the data 
input means and the third storage means, for comparing the data 
originating from the data read from the card, so that, provided the 
card is identified as a card belonging to the third data system, an 
authenticity code is supplied to the third data system in case the data 
originating from the data read from the card are verified in relation 
to the code by employing the verification algorithm stored in the third 
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storage means, or alternatively, a non-authenticity code is supplied to 
the third data system in case the data originating from the data read 
from the card are not verified in relation to the code by employing 
the verification algorithm stored in the third storage means. 

5 In this embodiment of the invention, in which the apparatus communi- 
cates with three or more data systems, the security or secrecy level 
may be further increased, as explained above A in an embodiment, in 
which the apparatus comprises a still further encryption means, a 
third encryption algorithm further being stored in the third storage 
10 means, the still further encryption means being controlled by the data 
input means and the third storage means, so that, provided the card 
is identified as a card belonging to the third data system, the data 
originating from the data read from the card and the code are en- 
crypted in the still further encryption means by employing the second 
15 encryption algorithm stored in the second storage means prior to the 
comparison of the data and the code in the comparator means. 

In the above described embodiment of the invention, in which the 
data originating from the data read from the card and the code input 
by means of the input means are encrypted prior to the comparison of 
20 the data and the code in the comparator means, provided the card is 
identified as a card belonging to the second data system, or as a 
card belonging to the third data system, the encryption means com- 
prising the first mentioned encryption means, the further encryption 
means and the still further encryption means may be constituted by 
25 discrete or individual encryption means implemented by software or 
hardware. However, the incryption means, i.e. the first encryption 
means, the further encryption means and the still further encryption 
means, may be constituted by a single encryption means. 

Apart from the need of providing an apparatus communicating with at 
30 least two different data systems which eliminate the risk of providing 
transparency to the high security and high secrecy data system from 
the low secrecy and low security data system, there is a need for an 
apparatus communicating with at least two high security and high 
secrecy data systems which eliminates the possibility of obtaining 
35 transparency to one of the data systems from the other. 
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This need is fulfilled by an apparatus according to a second aspect of 
the present invention and communicating with at least two different 
data systems, for receiving data originating from data read from a 
data carrying card, for receiving a card identifying signal positively 
identifying the card as a card belonging to a first data system, or 
alternatively, as a card belonging to a second data system, and for 
transmitting the data originating from the data read from the card to 
a first of said data systems, or alternatively, to a second of said data 
systems, comprising: 

a data input means for receiving the data originating from the 
data read from the card and for receiving the card identifying signal, 

an input means for input of a personal authentication code, 

a first storage means for storing a first encryption algorithm and 
a first transmission protocof, 

a second storage means for storing a second encryption algorithm 
and a second transmission protocol, 



an encryption means for encryption of the data originating from 
the data read from the card and the code, the encryption being 
controlled by the data input means and a respective of the first and 
second storage means, so that, provided the card is identified as a 
card belonging to the first data system, the data originating from the 
data read from the card and the code are encrypted by employing the 
first encryption algorithm stored in the first storage means, and are 
output to the first data system controfled by the first transmission 
25 protocol stored in the first storage means, or alternatively, provided 
the card is identified as a card belonging to the second data system, 
the data originating from the. data read from the card and the code 
are encrypted by employing the second encryption algorithm stored in 
the second storage means, and are output to the second data system 
controlled by the second transmission protocol stored in the second 
storage means. 
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As the coherent set of data originating from the data read from the 
card and personal authentication code is output to a respective data 
system in an encrypted state which in itself guarantees the high 
secrecy and high security level of the data system in question, an 
5 erroneous output of a coherent set of data and code to an erroneous 
data system does not expose the personal authentication code to a 
third party, however, the coherent set of data and code of the one of 
the data systems is exposed to the other data system, in case the 
coherent set of data and code of one of the data systems is errone- 
10 ously output to the other data system. Therefore, in this aspect of 
the present invention, the data systems are transparent to one ano- 
ther and also dependent on one another as- the secrecy and security 
level of one of the data systems is dependent on the other. 

As in accordance with the first aspect of the present invention the 
15 security or secrecy level may be further increased in an embodiment 
comprising a further encryption means, a first of said encryption 
means being controlled by the data input means and the first storage 
means, so that, provided the card is identified as a card belonging to 
the first data system, the data originating from the data read from 
20 the card and the code are encrypted in the said first encryption 
means, and a second of said encryption means being controlled by the 
data input means and the second storage means, so that, provided 
the card is identified as a card belonging to the second data system, 
the data originating from the data read from the card and the code 
25 are encrypted in the said second encryption means. 

In accordance with the teachings of the present invention, the appa- 
ratus may further be adapted to communicate with three or more data 
systems, and further comprising a third storage means for storing a 
third encryption algorithm and a third transmission protocol, the card 

30 identifying signal further positively identifying the card as a card 
belonging to one of said three or more data systems, and the encryp- 
tion means further being controlled by the third storage means, so 
that, provided the card is identified as a card belonging to the third 
data system, the data originating from the data read from the card 

35 and the code are encrypted by employing the third encryption algo- 
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rithm stored in the third storage means, and are output to the third 
data system controlled by the third transmission protocol stored in 
the third storage means. 

As explained above, the intransparency is increased, provided an 
individual encryption means is employed in connection with the indivi- 
dual data systems. Therefore, the apparatus communicating with three 
or more data systems may further comprise a third encryption means, 
the third encryption means being controlled by the data input means 
and the third storage means, so that, provided the card is identified 
as a card belonging to the third data system, the data originating 
from the data read from the card and the code are encrypted in the 
third encryption means. 

Apart from an apparatus communicating with three or more high 
security and high secrecy data systems, an apparatus, combining the 
teachings of the above aspects of the present invention, may be pro- 
vided, i.e. an apparatus communicating with at least two high secu- 
rity and high secrecy data systems and one or more low secrecy and 
low security data systems and further comprising a third storage 
means for storing a verification algorithm, and a comparator means, 
the card identifying signal further positively identifying the card as a 
card belonging to one of the three or more data systems, and the 
comparator means being controlled by the data input means and, the 
third storage means, for comparing the data originating from the data 
read from the card and the code, so that, provided the card is 
identified as a card belonging to the third data system an authenticity 
code is supplied to the third data system in case the data originating 
from the data read from the card are verified in relation to the code 
by employing the verification algorithm stored in the third storage 
means, or alternatively, a non -authenticity code is supplied to the 
third data system in case the data originating from the data read from 
the card are not verified in relation to the code by employing the 
verification algorithm stored in the third storage means. 

In the above embodiments of the invention of an apparatus commun- 
cating with three or more data systems, the apparatus may, as ex- 
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plained above, advantageously comprise a third encryption means, a 
third encryption algorithm further being stored in the third storage 
means, the third encryption means being controlled by the data input 
means and the third storage means, so that, provided the card is 
5 identified as a card belonging to the third data- system, the data 
originating from the data read from the card and the code are en- 
crypted in the third encryption means by employing the third encryp- 
tion algorithm stored in the third storage means prior to the compa- 
rison of the data and the code in the comparator means. 

10 The embodiments of the invention described above may further com- 
prise an identifying means for receiving the data originating from the 
data read from the data carrying card, and for generating the card 
identifying signal positively identifying the card as a card belonging 
to a respective of the data .systems or as a card belonging to neither 

15 of the data systems. As the apparatus in accordance with this em- 
bodiment of the invention generates the card identifying signal on the 
basis of the data read from the card, the possibility of controlling the 
apparatus • into a mode, in which a card and a coherent code are 
encrypted by employing an erroneous encryption algorithm or an 

20 erroneous encryption means, is reduced. 

Alternatively, the embodiments of the invention described above may 
in the place of the identifying means comprise a simple manually 
operable switching means, which is simply activated by the person in 
possession of the card, who is about to input a personal authentica- 

25 tion code into the apparatus. Although the person, by erroneously 
activating the switching means, may turn the apparus into a mode, in 
which the data read from the card and the code input by the person 
are processed as if the data and the code belong to the low security 
and low secrecy data system, although the data and the code actually 

30 belong to the high security and high secrecy data system, a coherent 
set of data and code is under no circumstances exposed by the low 
secrecy and low security data system as the apparatus according to 
the invention supplies a non -authenticity code, or alternatively, 
under extreme and highly improbable conditions, an authenticity 
35 code to the low security and low secrecy data system. 



WO 85/04742- 



PCT/DK85/00032 



12 

In a further embodiment of the apparatus according to the invention, 
comprising an integral identifying means, a reading means for reading 
the data from the data carrying card is further included. Conse- 
quently, a self-contained apparatus for reading the data from the 
5 data carrying card and for transmitting the data and/or verifying the 
authenticity of the person in possession of the card has been provi- 
ded. 

In accordance with the preferred embodiments of the apparatus ac- 
cording to the invention, a temporary storage means is provided for 
10 temporarily storing the data read from the card and the personal 
authentication code, until the conclusion of the transmission of data 
from the apparatus of the data systems or the conclusion of the 
verification of the authenticity of the person in possession of the 
card. 

T5 In order to render it possible to have the apparatus according to the 
invention receive a reply from the said first data system, the reply 
constituting a authenticity verification or a non -authenticity verifica- 
tion as the result of the verification procedure carried out in the 
central processing unit of the said first data system, the apparatus 

20 according to the invention may further comprise a data receiving 
means for receiving, data from the data systems. 

Furthermore, the apparatus according to the invention may comprise a 
random number generator means, a random number generated by the 
random number generator means being stored in the temporary sto- 

25 rage means and input to the encryption means together with the data 
to be encrypted therein and further being output to the said first 
data system together with the data output thereto. By combining a 
random number, the data and the code and further encrypting the 
combination, the possibility of breaking the encryption code is further 

30 reduced as the randomly generated number obviously alters the en- 
crypted data in an unpredictable manner. 

In an on-line verification system, an authenticity code is normally, as 
explained above, transmitted from the central processing unit of the 
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data system to the apparatus or terminal after the central processing 
unit has concluded the on-line verification. In the above embodiment 
of the apparatus according to the invention including the random 
number generator means, a further comparator means for comparing 
5 the data transmitted thereto from the said first data system and the 
random number stored in the temporary storage means may be provi- 
ded. In this embodiment, the authenticity code transmitted from the 
central processing unit of the on-line verification data system is 
constituted by the random number which has been transmitted to the 
10 central processing unit together with the data and the code in an 
encrypted state. As the authenticity code is constituted by the ran- 
dom number which is obviously altered randomly, the transmission of 
the authenticity or non-authenticity code to the apparatus from the 
central processing unit of the data system may be carried out in plain 
15 text, i.e. in a non -encrypted state. 

In order to render it impossible to tap the apparatus, i.e. to elimi- 
nate the possibility of provfding an output of codes and data by 
means of highly sensitive electronic listening equipment, and further 
eliminate the possibility of exposing details of the apparatus regarding 
the construction and the functions thereof and data, such as the 
temporarily stored random number generated by the random number 
generator means and the personal authentication code, stored therein, 
by exposing the apparatus to radiomagnetic radiation, especially 
X-rays and/or by demounting the entire apparatus, it is preferred 
that the apparatus according to the invention comprises a radiopaque, 
tamper- and tappingproof housing enclosing in the above first and 
second aspects of the present invention at least the data input means, 
the input means, the storage means, the encryption • means, the com- 
parator means, the temporary storage means, the further comparator 
means and the random number generator means and the data input 
means, the input means, the storage means, the encryption means, 
the temporary storage means, the further comparator means and the 
random number generator means respectively. The radiopaque, tam- 
per- and tappingproof housing may, as is well known in the art, be 
provided by a housing comprising radiopaque component, magnetic 
and electric shielding components, and mechanical high-strength 
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components, such as lead and stainless steel plates. For providing a 
tamperproof housing, a casting may be provided encasing the elec- 
tronic components of the apparatus . within the housing, and the 
casting may comprise high strengh elements such as ceramic or metal- 
5 lie particles or strips, which, when exposed to mechanical treatment, 
ruins the casting and disconnects and destroys vital parts of the 
apparatus, such as the storage means. Furthermore, the radiopaque, 
tamper- and tapping-proof housing may include light, vibration 
and/or shock detecting sensors, which, as is well known in the art, 
10 erases the storage means when exposed to light, vibrations or 
shocks . 

Although the encryption means may be adapted to carry out any 
encryption algorithm involving secret or public keys, such as a PKC 
algorithm (public-key cryptography), in which a public key is em- 
15 ployed for encryption and a secret key is employed for decrypting 
the encrypted data and the encrypted code, it is presently preferred 
that the encryption means are adapted to carry out the DES encryp- 
tion and the respective storage means comprise a respective DES 
encryption key .(DES: data encryption standard). DES is a NBS 

20 (National Bureau of Standards) approved encryption algorithm con- 
sisting of an initial permutation, 16 identical: partial algorithms named 
rounds, a swopping of the left hand and the right-hand halves to 
ease decryption, and an inverse initial permutation. In each round a 
64 bit word is substituted by another 64 bit number controlled by a 

25 48 bit key which is further derived from an original 56 bit key. The 
DES encryption provides a high level of secrecy and security and has 
been implemented in hardware. 

The input means -of the apparatus which are adapted to input the 
personal authentication code may be of any appropriate kind, how- 

30 ever, preferably of a kind which provides secrecy to the step of 
inputting the secret personal authentication code. The input means 
may be an optical reading means which is adapted to read a person's 
finger print or other biological characteristics and to transform this 
optically or otherwise readable information into a code. However, in 

35 the presently preferred embodiment of the invention, the input means 



WO 85/04742 



15 

is a keyboard, such as a numeric keyboard, an alpha-numeric key- 
board or an hexadecimal keyboard for input of a personal identi- 
fication code (PIN) having any appropriate number of digits or cha- 
racters or any combination thereof, In the presently preferred em- 
5 bodiment, the personal identification number is a decimal number 
comprising four digits. 

Normally, the transmission of the data and the code in an encrypted 
state to the data system is a first step in an on-line verification of 
the cardholder's authenticity relative to the data system in question 
10 and relative to the card, whereafter a sum of money is transferred to 
or from the authorized cardholder's account. The number indicating 
the sum of money has to be input to the apparatus and further 
transmitted to the data system in question. The number indicating the 
sum of money is, however, preferably input from a further input 
15 means to the encryption means together with the data to be encrypted 
therein and are output to the respective data system together with 
the data output thereto. By providing an individual or further input 
means for input of the number to the encryption means instead of 
inputting the number by means of the numeric keyboard of the appa- 
20 ratus, a further secrecy and security advantage is obtained as the 
numeric keyboard is reserved for the input of the personal authenti- 
cation code or personal identification number exclusively. Consequent- 
ly, the risk of inadvertently exposing the personal authentication 
code to a third party by inadvertently inputting the personal authen- 
25 tication code instead of the sum of money which, as is well known in 
the art, is displayed to the person by a display means, is reduced, 
as the input means for inputting the sum of money into the appara- 
tus, is separated from the input means for inputting the personal 
authentication code into the apparatus. Normally, the individual or 
30 further input means for receiving the number indicating the sum of 
money to be transferred, is connected to an external apparatus such 
as a cash register, which provides the number. 

In the presently preferred embodiment of the invention, the apparatus 
further comprises a control means for controlling the overall function 
35 of the apparatus. By providing a controlling means, it is rendered 
possible to control the function of the apparatus autonomously so that 
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in case a minor routine or function of the apparatus is ruined or 
malfunctioning, the apparatus is turned down, thus eliminating the 
possibility of erroneousfy transmitting data and codes to an erroneous 
data system and/or in an erroneous state, e.g. in a non-encrypted 
5 state. 

.* 

The control means may advantageously be a microprocessor means 
which renders it possible to carry out a great number of check and 
control routines, such as controlling or checking the internal software 
of the apparatus and thus contains a high control complexity, 

10 In the above embodiments of the invention, the storage means may be 
constituted by PROMs (programmable read only memories) or consti- 
tuted by ROMs (read only memories), and the temporary storage 
means may advantageously be constituted by a RAM (random access 
memory), which is very easily erased in case an intrusion is attempt- 

15 ed, as discussed above. 

In the above described self-contained apparatus comprising the iden- 
tifying means and reading means, the reading means may advantage- 
ously be a magnetic card reading means comprising a magnetic head 
assembly. In this embodiment of the invention, the apparatus is 
20 adapted to receive and read data from conventional magnetic cards. 

In accordance with a third aspect, the present invention provides a 
method of communicating with at least two different data systems, of 
receiving data originating from data read from a data carrying card 
and of transmitting the data originating from the data read from the 
25 card to a first of said data systems, or alternatively, of verifying the 
authenticity of a person in possession of the card relative to a second 
of said data systems, comprising: 

receiving the data originating from the data read from the card, 

identifying the card on the basis of the data received from the 
30 reading means, as a card belonging to the first data system, as a 
card belonging to the second data system, or as a card belonging to 
neither of the data systems, 
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inputting a personal authentication code, 

encrypting the data originating from the data read from the card 
and the code, provided the card is identified as a card belonging to 
the first data system, the data originating from the data read from 
5 the card and the code being encrypted by employing ah encryption 
algorithm, and being output to the first data system controlled by a 
transmission protocol, and 

comparing the data originating from the data read from the card 
and the code, provided the card is identified as a card belonging to 

10 the second data system, an authenticity code being supplied to the 
second data system in case the data originating from the data read 
from the card are verified in relation to the code by employing a 
verification algorithm, or alternatively, a non-authenticity code being 
supplied to the second data system in case the data originating from 

15 the data read from the card are not verified in relation to the code 
by employing the verification algorithm. 

In accordance with a fourth aspect, the present invention provides a 
method of communicating with at least two different data systems, of 
receiving data originating from data read from a data carrying card 
20 and of transmitting the data originating from the data read from the 
card to a first of said data systems, or alternatively, of transmitting 
the data to a second of said data systems, comprising: 

receiving the data originating from the data read from the card, 

identifying the card on the basis of the data received from the 
25 reading means, as a card belonging to the first data system, as a 
card belonging to the second data system, or as a card belonging to 
neither of the data systems, 

inputting a personal authentication code, and 

encrypting the data originating from the data read from the card 
30 and the code, so that, provided- the card is identified as a card 
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belonging to the first data system, the data originating from the data 
read from the card and the code are encrypted by employing a first 
encryption algorithm, and are output to the first data system con- 
trolled by a first transmission protocol, or alternatively, so that, 
5 provided the card is identified as a card belonging to the second data 
system, the data originating from the data read from the card and the 
code are encrypted by employing a second encryption algorithm, and 
are output to the second data system controlled by a second trans- 
mission protocol. 

10 BRIEF DESCRIPTION OF THE DRAWING 

The invention will now be further described with reference to the 
drawing, wherein, 

Fig. 1 is an overall, perspective view of a customer operable appara- 
tus constituting the presentfy preferred embodiment of an apparatus 
15 according to the invention and communicating with two different data 
systems, one of which is a high secrecy and high security data 
system, and one of which is a low secrecy and low security data 
system, 

Fig. 2 is an overall, perspective view of an operator operable appara- 
20 tus communicating with the apparatus of Fig. 1 , 

Fig. 3 is an overall, diagrammatical view of three different applica- 
tions of an apparatus according to the invention, 

Fig. 4 is a diagrammatical view of the preferred embodiment of an 
apparatus according to the invention, 
25 Fig. 5 is a diagrammatical view of an alternative embodiment of an 
apparatus according to the invention, 

Fig. 6 is a sectional view of a security module of an apparatus ac- 
cording to the invention, and 

Fig. 7 is a diagrammatical view illustrating the high secrecy and high 
security encryption and decryption in an on-line data system. 

DETAILED DESCRIPTION OF THE DRAWING 

In the left-hand side of Fig. 3, two different applications of an appa- 
ratus 10 according to the invention are shown, and in the right-hand 
side of Fig. 3 a third application of an alternative embodiment or 
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implementation of an apparatus according to the invention is shown 
together with a high secrecy and high security, on-line verification 
data system, illustrated by the broken line block, designated 40. In 
its first application shown within a broken line block 12, the appara- 
5 tus 10 communicates with a conventional cash register 14 through a 
two-way data transmission line 16. The cash register 14 further 
communicates with a so-called back office computer 18 through a data 
transmission line 20. In the back office computer 18, the transactions 
of the cash register 14 together with the transactions of other cash 
10 registers, corresponding to the cash register 14 shown in Fig. 3, are 
registered. The back office computer 18 and the individual cash 
registers 14 may together constitute an on-line, an off-line or a 
semi-on-line data system, as is well known within the business compu- 
ter field. 

15 The apparatus 10 is adapted to receive magnetic, machine readable 
cards issued by different card issuing organisations. In the upper 
right corfter of the block 12, three cards designated 21, 22 and 23, 
respectively, are shown illustrating cards issued by three different 
card issuing organisations, DK, XX and YY, respectively. The DK- 
20 card designated 21 is a card belonging to the high secrecy and high 
security, on-line verification data system 40, and the XX-card desig- 
nated 22 is a card issued by a company and comprising the cash 
register 14 and the back office computer 18, The YY-card designated 
23 may be a card issued by a credit card issuing organisation such as 
25 a Diner's Club Card, a Eurocard or the like, or a card issued by a 
firm basically corresponding to the firm issuing the XX-card designa- 
ted 22. Alternatively, the YY-card designated 23 may correspond to 
the DK-card designated 21, i.e. the card 23 belongs to a high secre- 
cy and high security on-line data system, basically identical to the 
30 data system 40 shown in Fig. 3. 

The apparatus 10 is connected to the data system 40 through a box 
25 which includes a main supply section, which also supplies power to 
the apparatus 10, and a modem (modulator/demodulator). Apart from 
supplying power to the apparatus 10, the box 25 communicates with 
35 the apparatus 10 through a two-way data transmission line designated 
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26 (duplex or half-duplex transmission) . The box 25 is connected to 
the data system 40 through a data transmission line 28, such as a 
public telephone line, which is connected to a data transmission 
network 30 through an Interface, not shown on the drawing, in which 
5 the asynchronous transmission from the modem 25 and the apparatus 
TO is compiled into a synchronous duplex transmission (transmission 
protocol X21). 

In the lower part of the. left-hand side of Fig. 3, a second application 
of the apparatus la is shown within a broken line block 32. As in the 
10 first application, shown within- the broken line block 12, the appara- 
tus 10 communicates through the data transmission line 26, the box 
25, the telephone line 28, and the transmission network 30 with the 
high secrecy and high security, on-line verification, data system 40 
shown in the upper , part of the right-hand side of Fig. 3. Through a 

15 data transmission line 34, the apparatus 10 further communicates with 
the back office computer 18, which is further, through a data trans- 
mission line 36 connected to a road-side petrol pump 38. Apart from 
the DK-card 21 , the apparatus* TO is adapted to receiving a 22 card 
designated 24. The ZZ-card 24 is a card issued by the petrol compa- 

20 ny running the filling station, the road-side petrol pump 38, and the 
back office computer T 8. 

The apparatus TO, which will be described in greater detail below 
with reference to Figs. 1,4, 6 and 7, comprises a slot 42 for re- 
ceiving one of the cards 21-24, a display 44, and a numeric keyboard 
25 46 included in a security module 50 together with four control keys 
designated by the reference numeral 48. 

In the lower part of the right-hand side of Fig. 3, a third application 
of an apparatus implemented in an alternative embodiment of the 
invention is shown within a broken line block 4T. As in the above 
30 described second application shown within the broken line block 32, 
the apparatus according to the invention which is shown within a 
broken line block 49 communicates with the high secrecy and high 
security on-line verification data system 40 shown in the upper part 
of tire right-hand side of Fig. 3 through the data transmission line 
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26, the box 25, the telephone line 28 and the transmission network 
30. Through the data transmission line 36, the apparatus 49 communi- 
cates with the road-side petrol pump 38. Basically, the apparatus 49 
includes the security module 50, which communicates with the back 
5 office computer 18. The above described four control "keys designated 
by the reference numeral 48 are also included in the apparatus 49 and 
communicate with the back office computer 18. The display 44 and the 
card receiving slot 42 of a card reader also communicate with the 
back office computer 18 which afso communicates with a receipt prin- 
10 ' ter 47. The apparatus 49, which will be described in greater detail 
below with reference to Figs. 5, 6 and 7, may be housed in a road- 
side post, which may further be adapted to receive notes or bills for 
payment of the petrol purchased. It is to be mentioned that the. 
apparatus 49 shown in the lower part of the right-hand side of Fig. 3 
15 may be modified into an apparatus in which one or more of the indi- 
vidual components are located remotely. Thus, the back office compu- 
ter 18 may alternatively be a computer of the type shown in the lower 
part of left-hand side of Fig. 3. However, the concept of the present 
invention renders it possible to provide an apparatus communicating 
20* with a high secrecy and high security on-line data system and a low 
secrecy and low security data system such as a petrol company data 
system comprising the back office computer 18 in which the data read 
from the card, e.g. one of the cards 22, 23 or 24, are processed 
within the back office computer 18 prior to the presentation of the 
25 data or any offset thereof to the security module 50 in which the data 
originating from the data read from the card/ i.e. the data themselves 
or any offset thereof supplied from the back office computer 18, are 
compared to a PjN-code, which is input by means of the numeric 
keyboard 46 by the customer or the person in possession of the card 
30 in question, as will be described below. 

In the first application shown within the broken line block 12, a cash 
register operator inputs the individual prices for the individual goods 
to be purchased by the customer into the cash register 14. After 
having input all the prices into the cash register, the cash register 
35 operator makes the cash register calculate the total' sum, which is 
output through the data transmission line 20 to the back office com- 
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puter 18, and which is also output through the data transmission line 
16 to the apparatus 10, and displayed on the display 44 thereof. 
While the cash register operator is. inputting the prices into the cash 
register 14, the person in possession of a card- 21, 22 or 23 moves 
5 the magnetic card through the card receiving slot 42 of the apparatus 
10.- By this, the data stored on the card is input into the apparatus. 
From these data, a card identifying data or card identifying signal is 
derived, which identifies the card as a DK-card, an XX-card, a YY- 
card, or a card belonging to neither of these categories, which are 
10 acceptable to the apparatus 10. The customer also inputs the above 
mentioned personal: identification number (a PIN-code) into the appa- 
ratus, i.e. into the security module 50, by means of the keyboard 46. 
This PIN-code is a secret code, which is known to the customer 
exclusively, 

15 Provided that the actual card is an XX-card, i.e. a card issued by 
the company in question, the apparatus 10 carries out, as will be 
explained below, an off-line, verification of the authenticity of the 
person in possession of the card relative to the card and, conse- 
quently, relative to the firm or the data system, i.e. the back office 
20 computer 18. In case the authenticity of the customer or the person 
in possession of the XX-card 22 rs verified, the apparatus 10 outputs 
an authenticity code to the cash register 14 through the data trans- 
mission line 16 and further through the data transmission fine 20 to 
the back office computer 18, As the customer has been identified, as a 
25 legal and authorized cardholder, the sum calculated in the cash regis- 
ter 14 will now be transferred to the back office computer 18 and 
debited the customer's account. First, the customer is, however, to 
accept the sum displayed on the display 44 by activating an appro- 
priate key among the keys 48 r as will be explained below. In case the 
30 authenticity of the person in possession of the XX-card 22 is not 
verified, the apparatus 10 outputs a non-authenticity code through 
the data transmission line 16, to the cash regfster 14. In this case, 
the customer is not allowed to purchase the goods by transferring the 
sum to the back office computer 18 and registrating the sum in the 
35 account corresponding to the actual card 22. 
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In the second and third applications of the apparatus 10 and the 
apparatus 49, respectively, shown within the broken line block 32 in 
the lower left-hand side of Fig. 3 and within the broken line block 41 
in the lower right-hand side of Fig. 3, respectively, the authenticity 
5 of the person in possession of the card has to be verified relative to 
the back office computer system including the back office computer 
18, when the person employs the ZZ-card 24, or relative to the 
on-line verification data system shown in the upper right-hand side of 
Fig. 3 within the broken Irne block 40 when the person employs the 
10 DK-card 21 before the petrol pump 38 is turned on. In this off-line 
or on-line verification, a zero default value of the sum of money, cor- 
responding to the quantity of petrol to be purchased is employed. 
Provided the authenticity of the person in possession of the card has 
been verified relative to the data system corresponding to the data 
15 card, the person may purchase petrol and/or other goods, the prices 
of which are registered by means of a cash register function not 
shown on the drawing, however/ basically corresponding to the above 

cash register 14 communicating with the back office computer 18. 

» 

In case the customer employs the DK-card 21 in the applications 
20 shown within the broken line blocks 12, 32 and 41 , the data read 
from the card are presented to the security module 50 and encrypted 
therein together with the sum input to the apparatus from the cash 
register 14 and the PIN-code input by the. customer by means of the 
numeric keyboard 46 as will be explained in greater detail below, with 
25 reference to Fig. 7, and output in an encrypted state to the box 25 
and further transmitted through the public telephone line 28, the 
above mentioned data compiled, not shown on the drawing, through 
the transmission network 30 and input to the on-line verification data 
system shown in the upper part of the right-hand side of Fig. 3 
30 within the broken line block 40. 

Now turning to Fig. 7, the security module 50 of the apparatus 10 
and the apparatus 49 according to the invention is shown in the 
upper part of Fig. 7, and the broken Jine block 40 illustrates the 
high security and high secrecy, on-line verification data system, 
35 shown in the lower part of Fig. 7. Basically, Fig. 7 illustrates the 
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encryption routine carried out in the security module 50 prior to 
transmitting data therefrom to the data system 40 in which a decryp- 
tion routine for verifying the authenticity of the person in possession 
of the DK-card 21 is carried out. As mentioned above, the DK-card 
5 21 includes card identifying data and, furthermore, a personal veri- 
fication code (PVC). In a block 51, viz. the card reading means of 
the apparatus, the PVC-code and the card identifying data are pro- 
vided from the card. The person in possession of the card inputs a 
PIN-code, as mentioned above, by means of the numeric keyboard 46. 
10 The PIN-code is input to an encryption block 52, in which the PIN- 
code is encrypted by employing a first encryption keyK-p As the 
person activates the above control keys designated 48, the total sum 
B is transferred, provided the customer has already accepted the 
total sum, if not, the above mentioned zero default value of the total 
15 sum B is transferred. In a random number generator 53, a random 
number TT is generated. The random number TT, the PVC-code, 
provided from the block 51, the total sum B transferred from the 
control keys 48, and the encrypted PiN-code [PIN] K., generated in 
the block 52, is input to a second encryption 'block 54 and are en- 
20 crypted by employing a second encryption key 1^. As the security 
module 50 is a single module among a piurality of modules communica- 
ting with one and the same on-line data system, a security module 
identifying number is transmitted from the block 59 of the module 50 
in plain text together with the second encryption key version of the 
25 encrypted PIN-code [PIN] K y the total number B, the PVC-code, 
and the random number TT, i.e. [[PIN] Kj ♦ B + PVC + TT] K 2 . 

As explained above, the PVC-code, the PINrcode, the total sum B 
and the. random number TT are in an encrypted state output from the 
apparatus 10 to the box 25 and are through the public- telephone line 

30 28, through the data compiler, not shown on the drawing, and 
through the data transmission network 30 input to the high secrecy 
and high security, on-fine verification data system 40. In a first 
block 55 of the data system, the data are decrypted by employing a 
decryption key corresponding to the encryption key K^. The random 

35 number TT, the PVC-code and the total sum B are output from the 
first decryption block 55 and input to a separation block 56. In the 



25 

block 56, the PVC-code and the random number TT are separated 
from the total sum B, which is output to a block 57 for further 
transmission to account registers, etc, while the PVC-code and a 
random number TT are input to a further separation block 58, in 
5 which the PVC-code and the random number TT are separated from 
one another. The PIN-code is provided from the block 55 in an en- 
crypted state and input to a second decryption block 59, in which the 
encrypted PIN-code is decrypted by employing a decryption key, 
corresponding to the encryption key Ky The plain text PIN-code is 
TO ' input to a block 60, in which the PIN-code and the PVC-code are 
combined. As the PVC-code includes a DES (data encryption stan- 
dard) encryption of the PIN-code, the actual combination of the codes 
is carried out by employing a DES routine. From the block 60, a 
PVCV-code is output to a block 81, in which the PVCV-code is com- 
15 pared to PVCV-codes of a file 62, in which PVCV-codes corresponding 
to authorized or legal cards are stored. Provided the PVCV-code is 
contained in the PVCV-code file 62, a yes' is output to a gate 63, 
which retransmits the random number TT to the module 50 as the 
♦authenticity code verifying the authenticity of the person in posses- 
20 sion of the card relative to the card and relative to the on-line veri- 
fication data system 40, i.e. as a tegal and authorized cardholder, 
Provided the PVCV-code output from the block 60 is not contained in 
the PVCV-code file 62, the comparison block 61 outputs a 'no 1 to a 
gate 64, which outputs a non-authenticity code. The code, i.e. the 
25 authenticity code or non-authenticity code transmitted from the data 
system 40 is compared to the random number TT generated by the 
random number generator 53 in a comparator block 77 of the security 
module 50. The result of the comparison in the comparator block 77 is 
output to an output terminal 78 which is further connected to the 
30 display 44 of the apparatus 10 through an appropriate interface. 

Now returning to Fig. 3, the upper part of the right-hand side 
thereof is a flow-diagram illustrating the above on-line verification of 
the data system 40. As the data system 40 communicates with a great 
number of terminals or apparatuses corresponding to the apparatus 10 
35 and the apparatus 49, the first decryption block 55 further communi- 
cates with a key file 65 including the individual keys corresponding 
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to the individual incryption keys of the individual apparatuses* In 
Fig. 3, the gates 63 and 64, also shown in Fig. 7, are included in an 
output block 66, the output of which is connected to the data trans- 
mission network 30 for supplying the authenticity or the non-au- 
5 thentrcity code to the apparatus TO, and which receives a 'yes' or 'no' 
from the comparison block 61, together with the random number TT 
derived from the separation block 56. A further output block 67 is 
included in Fig. 3, which includes the block 57 shown in Fig.. 7 and 
further receives a 'yes' or 'no* from the comparison block 61, The 
TO output block 67 communicates with individual external blocks 68, 69, 
or 70. Each of the blocks 68-70 may be a bank computer system, 
which is addressed from the output block 67. Alternatively, one of 
the blocks may be a computer system owned by a credit card issuing 
organisation such as the organisation issuing the YY-card 23. Thus, 
15 the YY-card is a subsidiary of the high secrecy and high security, 
on-line data system 40, which actually carries out the verification of 
the authenticity of the person in possession of the YY-card 23 rela- 
tive to the card, and, consequently, relative to the credit card 
issuing organisation. 

20 In Fig* 4, a general, schematfcal view of the apparatus 10 according 
to the invention is shown. The apparatus 10 is housed in a solid line 
block 72. Within the block 72, the above mentioned security module 
housing 50 is arranged. In Fig. 4, the above card receiving slot 42 is 
shown, and a magnetic head assembly 43 is arranged close to the slot 

25 so that the magnetic head assembly is brought into close contact with 
the magnetic strip of the card, i.e. one of the cards 21-24, when the 
card is moved through the slot 42. The magnetic 'head assembly 43 
outputs signals, to a first microprocessor 73, which controls the ex- 
ternal functions of the apparatus as will be evident from the descrip- 

30 tion below. 

The first microprocessor 73 is further connected to the display 44 
which serves the purpose of disclosing the total sum received from 
the cash register 14 or from the back office computer 18, and of 
disclosing the result of the off-line verification, or alternatively, the 
35 on-line verification of the authenticity of the person in possession of 
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the card relative to the card and, consequently/ relative to the 
off-line data system and the on-line data system, respectively. The 
first microprocessor 73 is further connected to and communicates with 
a first and a second output/input means 74 and 75, respectively, 
5 communicating with the on-line and the off-line data systems, respec- 
tively, i.e. the data system 40 and the back office computer 18 or the 
cash register 14, respectively. 

Centrally within the security module 50, a second microprocessor 76 is 
arranged, which communicates with the first microprocessor 73 
10 through an interface 79, Within the security module 50, a circuit 80 
includes the DES encryption algorithm- Furthermore, the second 
microprocessor 76 communicates with the above described random 
number generator 53, with a PROM (programmably read only memory) 
82 including the on-line encryption programme, which has been dis- 
15 cussed above with reference to Fig. 7, and a RAM (random access 
memory) 83, in which the PVC-code read from the data carrying 
card, i.e. one of the cards 21-24, by means of the magnetic head 
assembly 43 and the first microprocessor 73 is temporarily stored 
together with the PIN-code input by the customer by means of the 
20 - numeric keyboard 46, the random number TT generated by the ran- 
dom number generator 53, and the total sum B input from the cash 
register 14 or from the back office computer 18 through the second 
input/output means 75. The security modules 50 further comprises a 
key store or RAM 84 in which the encryption key, involved rn the 
25 encryption of the PVC-code, a PIN-code, the total sum B and the 
random number TT, as explained above with reference to Fig. 7, for 
transmission to the high secrecy and high security on-line verification 
data system 40 is stored. Furthermore, two PROMs 85 and 86 are 
included, storing the verification algorithm for off-line verification of 
30 the authenticity of the person in possession of the corresponding card 
relative to the card, e.g. the XX-card 22 or the ZZ-card 24, shown 
in Fig. 3. The RAMs 83 and 84, which are actually volatile RAMs are 
powered from an external power supply and further backed up by a 
battery supply 87. Thus, in case the external power supply is dis- 
35 connected from the apparatus, the volatile RAMs of the apparatus are 
supplied from the back-up battery supply 87. However, the back-up 
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battery supply 87 is further adapted to erase the RAMs 83 and 84 in 
case a person tries to intrude into the security module 50, and pre- 
ferably, through mechanical vibration or shock sensors or light de- 
tectors connected to the entire circuitry of the security module so 
5 that the circuitry is destroyed by applying overvoltage of voltage of 
incorrect polarity thereto, in case an intrusion is attempted. 

In Fig. 5, a general, schematical view of the apparatus 49 according 
to the invention is shown. Basically, the apparatus 49 comprises the 
above described security module 50 including the keyboad 46, the 
10 keys designated by the reference numeral 48, the first microprocessor 
73 which communicates with the high secrecy and the high security 
on-line data system through the output/input means 74 and further 
communicates with the back office computer 18 which is also address- 
able from the above four keys designated by the reference numeral 
15 48. The back office computer 18 further communicates with the dis- 
play 44, the magnetic head assembly 43 and the receipt printer 47. 
Whereas in Fig. 4, the data which are read from a card are input 
directly to the first microprocessor 73, the data are first processed in 
the back office computer 18 in the apparatus 49 shown in Fig. 5. In 
20 case the card is identified by the back office computer 18 as a card 
belonging' to the first data system, the back office computer 18 may 
process,, e.g. offset the data_ read from the card and present a pro- 
cessed or offset version of the data to the first microprocessor 73 and 
further to the security module 50. Alternatively, in case the back 
25 office computer 18 does not identify the card as a card belonging to 
the data system itself, i.e. the data system including the back office 
computer 18, the data which are read from the card are further 
transferred to the microprocessor 73 and input to the security module 
50. 

30 The apparatuses 10 and 49 and the security module 50 thereof func- 
tion in the following manner. As mentioned above, the data read from 
the card by means of the magnetic head assembly 43 identify the card 
as a card belonging to the first data system, i.e. belonging to the 
high secrecy and high security on-line verification data system 40, as 

35 a card belonging to the back office computer system 18, or as a card 
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belonging to neither of the two data systems. Provided the card has 
been identified by the first microprocessor 73 or by the back office 
computer 18 as a card belonging to the second data system, the data 
or the above mentioned offset or processed version thereof are input 
5 to the security module 50 from the first microprocessor 73 through 
the interface 79, further input into the second microprocessor 76, and 
temporarily stored in the RAM. As explained above, the person in 
possession of the card is invited to input the PIN-code by means of 
the numeric keyboard 46, and the PIN-code is output from the nume- 
10 ric keyboard 46 to the second microprocessor 76, and further tempo- 
rarily stored in the RAM 83. As the first microprocessor 73 has 
identified the card as a card belonging to the off-line data system 18, 
the second microprocessor 76 addresses the PROM 85 and carries out 
an algorithmic comparison of the PIN code and the data stored in the 
15 RAM 83 controlled by the programme stored in the PROM 85 and by 
employing, if desired, the DES encryption algorithm stored in the 
store 80. The result of the comparison or the authenticity verification 
is either a y es ' or 'no 1 , which is output from the second micropro- 
cessor 76 to the interface 79 and input to the first microprocessor 73, 
20 which outputs a authenticity or non-authenticity code to the second 
input/output means 75 to the off-line verification data system shown 
in Fig. 4 or to the back office computer 18 shown in Fig. 5 and also 
or further to the display 44 for displaying the result to the person in 
possession of the card. 

25 Provided the card is identified as a card belonging to the high secre- 
cy and high security data system, i.e. the on-line verification data 
system 40, the microprocessor 76 addresses the random number gene- 
rator 53, which outputs a randomly generated number TT to the 
microprocessor the randomly generated number TT further being 
30 temporarily stored in the RAM 83. In case a number representing the 
total sum B for the goods etc. to be purchased by the person in 
possession of the card is input through the second input/output 
means 75 and further transmitted through the first microprocessor 73 
to the interface 79 and output therefrom to the second microprocessor 
35 76 and input to the RAM 83 and stored therein, the PIN-code, the 
PVC-code, the random number TT and the total sum B are encrypted 
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by the second microprocessor 76, as explained above with reference 
to Fig. 4, by employing the DES encryption algorithm stored in the 
store 80 and the key stored in the key store 84 controlled by the 
encryption programme of the PROM 82- .The result of the encryption 
5 process is output from the second microprocessor 76 through the 
interface 79 to the first microprocessor 73 and transmitted therefrom 
through the first input/output means 74 to the high secrecy and high 
security on-line verification data system 40, in which the verification 
of the PIN-code relative to the data is carried out as explained above 
TO with reference to Fig. 7. From the on-line verification data system 
40, the first input/output means 74 receives the result of the authen- 
ticity verification, either the random number TT representing the 
authenticity code or a non-authenticity code, which is transmitted by 
the first microprocessor 73 to the interface 79 of the security module 
15 50 and further into the second microprocessor 76. In the second 
microprocessor 76, the result, i.e. the authenticity code or the non- 
authenticity code is compared with the random number TT stored in 
the RAM 83. In case the result of the on-line authenticity verification 
is the authenticity code, i.e. the random number TT-has been re- 
20 transmitted from the data system 40 to the apparatus 10, the second 
microprocessor 76 addresses, through the interface 79, the first 
microprocessor 73 which further displays the result/ he* the authori- 
zation, on the display 44, as shown in Fig. 4, or supplies the result 
to the back office computer 18, as shown in Fig. 5, which further 
25 displays the result on the display 44. In case a non -authenticity code 
has been transmitted from the data system 40 to the apparatus 10, 
the second microprocessor 76 reveals, by comparing the code with the 
random number TT, stored in the RAM 83, that the authenticity 
verification has resulted in. a non-authorization of the person in 
30 possession of the card relative to the card. Consequently, the second 
microprocessor 76 addresses the first microprocessor 73 through the 
interface 79, and the first microprocessor 73 displays the result, i.e. 
the non-authorization on a display 44, as shown in Fig. 4, or sup- 
plies the result to the back office computer 18, as shown in Fig. 5, 
35 which further displays the result on the display 44. 
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When the first microprocessor 73 provides a displaying of the result 
of the on-line authenticity verification on a display 44 controlled by 
the second microprocessor 76 as shown in Fig. 4, or controlled by the 
back office computer 18, as shown in Fig. 5, the first microprocessor 
5 73 further outputs a respective authenticity or non-authenticity code 
to the off-line data system, through the second input/output means 75 
or through the data transmission line 36, respectively. 

It is emphasized that the concept of the present invention renders it 
impossible to control the apparatus into a mode in which PIN-code is 
10 inadvertently or erroneously disclosed in plain text, as the PIN-code 
is output from the security module 50 in a high secrecy and high 
security encrypted mode to the high secrecy and high security data 
system exclusively. 

The above mentioned control keys 48, which are shown in Figs. 4 and v 
15 5, are designated B, C, CE and AC, respectively. The customer may 
operate the keys C, CE and AC after having moved his card through 
the card receiving slot 42. The keys designated CE (abbreviation: 
'clear entry') renders it possible for the customer to clear a single 
digit of the PIN-code while inputting the PIN-code by means of the 
20 mode keyboard 46. The key designated C (abbreviation: clear') ren- 
ders it possible for the customer to clear the PIN-code and any other 
data temporarily stored in the apparatus, i.e. the data read from the 
data carrying card, and also the random number generated by the 
random number generator. The key designated AC (abbreviation: 
25 accept') is activated by the customer prior to the verification of the 
customer as the legal cardholder, either on-line or off-line relative to 
the data system 40 or the back office computer 18, respectively, and 
after the total sum has been displayed to the customer on the display 
44. By activating the key designated AC, the cardholder accepts the 
30 total sum displayed on the display 44 to be debited his account after 
the authorization of the cardholder, either in the bank registers 68, 
69 or 70, shown in Fig. 3, or the account in the back office computer 
18, shown in Fig. 3. The key designated B (abbreviation: 'balance') 
may be activated by a person, e.g. the cash register operator or a 
35 person in charge of the firm of filling station, in posssion of a ba- 
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lance card after having moved the bafance card through the card 
receiving slot 42 by which the data registered on the balance card 
are read by the magnetic head assembly 43 and input to the second 
microprocessor 76 through the first microprocessor 73 and the inter- 
5 face 79, whereupon the apparatus is put into a mode in which the 
accumulated sums representing the total amount registered by the 
apparatus and stored within the RAM 83 are output therefrom and 
output through the microprocessor 76, the interface 79, the micropro- 
cessor 73, and the second input/output means 75 to the back office 
10 computer system 18. 

in Fig. 1, an overall perspective view of the presently preferred 
embodiment of the apparatus TO according to the invention is shown. 
The apparatus 10 is housed within an outer housing 8 which encases 
and supports the security module 50. In Fig. 1, the keyboard 46 of 

15 the security module 50 is shown together with the four keys designa- 
ted 48. It is to be mentioned, as is evident from Figs. 4 and 5, that 
it is not mandatory to the proper functioning of the apparatus that 
the keys designated by the reference numeral 48 are arranged within 
the security module 50, since the functions defined by these four 

20 keys under no circumstances influence the non-transparency, high 
secrecy and high security concept of the present invention. As is 
evident from Fig. 1, the apparatus 10 comprises an outer housing 
part 9 which constitutes a shielding means which provides privacy to 
the customer who operates the keys of the keyboard 46. 

!5 In Fig. 2, an apparatus is shown designated the reference numeral 
114 in its entity. The apparatus 114 is an amount register apparatus 
communicating with the apparatus shown in Fig. 1. The amount re- 
gister apparatus 114 basically constitutes an apparatus corresponding 
to the cash register 14 shown in the upper part of the left-hand side 

0 of . Fig. 3 within the broken line block 12. The amount register appa- 
ratus 14 is housed within a "housing 145 and comprises a display 144, 
a numeric keyboard 146, function keys 148 and a receipt printer 147. 
The housing 145 comprises a printer paper reservoir constituted by a 
housing part 143. 
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In Figs. 1 and 2, the control keys 48 and 148, respectively, are 
designated Danish abbreviations. Thus, the keys 48 are designated A 
(DK) abbreviation for afstem = (GB) balance, slet alt (DK) = (GB) 
clear all, slet (DK) = (GB) clear entry and godkend (DK) = (GB) 
5 accept. The keys 148 are designated retur (DK) = (GB), slet alt 
(DK) = (GB) clear all, slet (DK) = (GB) clear entry and ind (DK) = 
(GB) amount to be paid. 

In Fig. 6, a vertical sectional view through an embodiment of the 
security module 50 is shown, comprising two radiopaque, tamper- and 
10 tappingproof housing parts 90 and 91. The housing parts 90 and 91 
are preferably made of high-strength stainless steel plate and have 
identifications etched, engraved or otherwise provided thereon. The 
two parts 90 and 91 are along their rims totally sealed to one another 
by means of a sealing part 92, which is welded to the housing parts 
15 90 and 91, as indicated at 93 and 94, respectively. In a down-turned 
central recess of the housing part 90, which constitutes the top 
housing part of the security module 50, . the keyboard 46 and the 
control keys 48, shown in Figs 1, 3, 4, and 5 are arranged on a 
supporting printed -circuit board 95. Individual contact terminals 96 
20 and 97 arranged on the top surface of the printed circuit board 95 
are adapted to be short-circuited by means of a short-circuiting 
component 98 by depressing a corresponding key 99. The short-cir- 
cuiting components, e.g. the short-circuiting component 98, coopera- 
ting with the terminals 96 and 97 are cast into an elastic, air- and^ 
25 fluid-tight supporting film 100. Within the interiour space defined 
within the two housing parts 90 and 91, a radiopaque component, 
such as a plate made of lead, is arranged. On top of the plate 101, 
however, in insulated relationship therewith, a second printed circuit 
board is arranged. The printed circuit board 102 supports electronic 
30 components/ such as electronic components 103-107, implementing the 
embodiment of the security module shown diagrammatically in Figs. 1, 
3, 4, 5 and 7. The individual track of the printed circuit board 102 
are through soldered joints, such as a soldered joint 108, connected 
to respective tracks of the printed circuit board 95 communicating 
35 with respective terminals, e.g. the terminals 96 and 97, thereof. In 
the left-hand side of Fig. 6, the printed circuit board 102 is confined 
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between the housing parts 91 and 92 and led through an aperture of 
the sealing part 92 as indicated by the reference numeral 109. The 
lead-through connection of the- printed circuit board 102 serves the 
purpose of connecting the security module 50 to the remaining compo- 
5 nents of the apparatus 10, i.e. to supply power to the electronic 
components thereof, e.g. the electronic components, and of providing 
access to and from the interface 79, shown in Fig. 4, of the security 
module 50. The interiour space defined within the housing parts 90 
and 91 and between the printed circuit boards 95 and T02 and the 
10 ■ radiopaque component or plate 101 is fiiled with a casting 110 of a 
high-strength epoxy resin, which secures the circuit boards and the 
radiopaque component and further includes metallic strips or wires. 
The metallic strips or wires contained within the epbxy resin casting 
110 serves the purpose of ruining the electronic circuit and erasing 
15 the data and the key of the RAMs 83 and 84 as described above in 
case it is attempted to open the- security module 50 by mechanical 
means. The stainless steel housing comprises the housing parts 90 
and 91, the plate 101, and the metallic strips and wires contained in 
the casting 110 provides a module which further eliminates the possi- 
20 bility of revealing details of the apparatus regarding the construction 
or the functions thereof by exposing the apparatus to radiomagnetic 
radiation, especially X-rays or by tapping the module by means of 
highly sensitive electronic listening equipment, as the module is a 
magnetically and electrically shielded and radiopaque module. 

25 The electronic implementation of the apparatus according to the inven- 
tion may be realized in several ways obvious to a worker skilled in 
the art, as the electronic components such as the microprocessors 73 
and 76, the PROMs 82, 85 and 86, the RAMS 83 and 84, the random 
number generator 53, the DES circuit 80, very easily may be pur- 

10 chased from a great number of manufacturers. The programming of 
the PROMs and of the microprocessor means may also very easily be 
carried out by the worker skilled in the art. 
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EXAMPLE 

In a design draft implementation or embodiment of the apparatus dis- 
cussed above the microprocessors 73 and 76 were constituted by 
electronic circuits of the type 8080 supplied from the company I ntel 
5 Corporation, the PROMs 82, 85 and 86 were constituted by electronic 
circuits of the type HN 462716 G supplied from the company Hitachi, 
the RAMs 83 and 84 were constituted by electronic circuits of the 
type 2114 L-2 supplied from the company Signetics, the random num- 
ber generator 53 was provided as software within the microprocessor 
10 76, the interface .79 was constituted by an electronic circuit of the 
type Z-80A SIO/2 supplied from the company Zilog, and the battery 
or back-up power supply 87 was constituted by a lithium battery 
package. The DES encryption circuit 80 was constituted by a 8294 
data encryption unit supplied from the company Intel Corporation. 

15 Although the invention has been described above with reference to 
the drawing, the invention is not limited to the embodiments shown 
thereon. .Thus, although the invention has been described in an 
embodiment in which the encryption is carried out by means of a DES 
algorithm, any other high secrecy and high security guaranteeing 
20 encrypting algorithm may be employed, e.g. a public key algorithm. 
Furthermore, the off-line verification may be carried out by employing 
or by not employing encryption of the data and the code to be com- 
pared. Furthermore, the data read from the card or originating from 
the data read from the card may be verified in relation to the PIN- 
25 code input by means of the keyboard of the security module in plain 
text, i.e. directly, by employing the verification algorithm stored in 
the PROMs or, as mentioned above, in any processed or offset ver- 
sion of the data read from the card. Furthermore, the security mo- 
dule shown in Fig. 4, may be modified in that several input/output 
30 means corresponding to the input/output means designated 74 and 75 
may be provided communicating with respective high secrecy and high 
security on-line, verification data systems and low secrecy and low 
security, off-line verification data systems. In this realization of the 
invention, the coherent set of PIN-code and PVC-code is output to 
35 the high secrecy and high security data systems exclusively in a high 
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secrecy and high security encrypted state controlled by respective 
high secrecy and high security encryption algorithms, keys and 
programmes, while an authenticity or a non -authenticity code is 

output to the low secrecy and low security data systems exclusively, 
5 and the PIN-code input by means of the keyboard or a coherent set 

of data read from or originating from the data read from the card and 

the PIN-code are under no circumstances disclosed to the low secrecy 

and low security data systems. 
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CLAIMS 

1. An apparatus communicating with at least two different data sy- 
stems, for receiving data originating from data read from a data 
carrying card, for receiving a card identifying signal positively 
5 identifying the card as a card belonging to a first data system, or 
alternatively, as a card belonging to a second data system, and for 
transmitting the data originating from the data read from the card to 
a first of said data systems, or alternatively, for verifying the au- 
thenticity of a person in possession of the card relative to a second 
10 of said data systems, comprising: 

a data input means for receiving the data originating from the 
data read from the card and for receiving the card identifying signal, 

an input means for input of a personal authentication code, 

a first storage means for storing a first encryption algorithm and 
15 a transmission protocol, 

a second storage means for storing a verification algorithm, : 

an encryption means, controlled by the data input means and the 
first storage means, for encryption of the data and the code, so that, 
provided the card is identified as a card belonging to the first data 
20 system, the data originating from the data read from the card and the 
code are encrypted by employing the first encryption algorithm stored 
in the first storage means, and are output to the first data system 
controlled by the transmission protocol stored in the first storage 
means, and 

25 a comparator means, controlled by the data input means and the 

second storage means, for comparing the data originating from the 
data read from the card and the code, so that, provided the card is 
identified as a card belonging to the second data system, an authenti- 
city code is supplied to the second data system in case the data 

30 originating from the data read from the card are verified in relation 
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to the code by employing the verification algorithm stored in the 
second storage means, or alternatively, a non-authenticity code is 
supplied to the second data system in case the data originating from 
the data: read from the card are not verified in relation to the code 
5 by employing the verification algorithm stared in the second storage 
means. 

2. The apparatus according to claim 1, and comprising a further 
encryption means, a second encryption afgorithm further being stored 
in the second storage means, and the further encryption means being 

TO controlled by the data input means and the second storage means, so 
that, provided the card is identified as a card belonging to the 
second data system, the data originating from the data read from the 
card and the code are encrypted in the further encryption means by 
employing the second encryption algorithm stored in the second sto- 

15 rage means prior to the comparison of the data and the code in the 
comparator means. 

3, The apparatus according, to claim 1 or 2 and communicating with 
three or more data systems, and further comprising a third storage 
means for storing a further verification afgorithm, the card identify- 

20 ing signal further positively identifying the card as a card belonging 
to one of said three or more data systems, and the comparator means 
further being controlled by the data input means and the third sto- 
rage means, for comparing the data originating from the data read 
from the card, so that, provided the card is identified as a card 

25 belonging to the third data system, an authenticity code is supplied 
to the third data system in case the data originating from the data 
read from the card are verified in relation to the code by employing 
the verification algorithm . stored in the third storage means, or alter- 
natively, a non -authenticity code is supplied to the third data system 
30 in case the data originating from the data read from the card are not 
verified in relation to the code by employing the verification algorithm 
stored in the third storage means. 

4. The apparatus according to claims 2 and 3, and comprising a still 
further encryption means, a third encryption algorithm further being 
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stored in the third storage means/ the still further encryption means 
being controlled by the data input means and the third storage 
means, so that, provided the card is identified as a card belonging to 
the third data system, the data originating from the data read from 
5 the card and the code are encrypted in the still further encryption 
means by employing the second encryption algorithm stored in the 
second storage means prior to the comparison of the data and the 
code in the comparator means, 

5. The apparatus according to claim 2 or 4, the encryption means 
10 being constituted by a single encryption means. 

6. An apparatus communicating with at least two different data sy- 
stems, for receiving data originating from data read from a data 
carrying card, for receiving a card identifying signal positively 
identifying the card as a card belonging to a first data system, or 

15 alternatively, as a card belonging to a second data system, and for 
transmitting the data originating from the data read from the card to 
a first of said dfcta systems, or alternatively, to a second of said data 
systems, comprising: 

a data input means for receiving the data originating from the 
20 data read from the card and for receiving the card identifying signal, 

an input means for input of a personal authentication code, 

a first storage means for storing a first encryption algorithm and 
a first transmission protocol, 

i 

a second storage means for storing a second encryption algorithm 
25 and a second transmission protocol, 

an encryption means for encryption of the data originating from 
the data read from the card and the code, the encryption being 
controlled by the data input means and a respective of the first and 
second storage means, so that, provided the card is identified as a 
30 card belonging to the first data system, the data originating from the 
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data read from the card and the code are encrypted by employing the 
first encryption algorithm stored in the first storage means, and are 
output to the first data system controlled by the first transmission 
protocol stored in the first storage means, or alternatively, provided 
5 the card is identified as a card belonging to the second data system, 
the data originating from the data read from the card and the code 
are encrypted by employing the second encryption algorithm stored in 
the second storage means, and are output to the second data system 
controlled by the second transmission protocol stored in the second 
10 storage means. 

1. The apparatus according to claim 6, and comprising a further 
encryption means, a first of said encryption means being controlled 
by the data input means and the first storage means, so that, provi- 
ded the card is identified as a card belonging to the first data sy- 

15 stem, the data originating from the data read from the card and the 
code are encrypted in the said first encryption means, and a second 
of said encryption means being controlled by the data input means 
and the second storage means, so that, provided the card is identi- 
fied as a card belonging to the second data system, the data origina- 

20 ting from the data read from the card and the code are encrypted in 
the said second encryption means. 

8. The apparatus according to claim 6 and communicating with three 
or more data systems, and further comprising a third storage means 
for storing a third encryption algorithm and a third transmission 

25 protocol, the card identifying signal further positively identifying the 
card as a card belonging to one of said three or more data systems, 
and the .encryption means further being controlled by the third sto- 
rage means, so that, provided the card is identified as a card belong- 
ing to the third data system, the data originating from the data read 

30 from the card and the code are encrypted by employing the third 
encryption algorithm stored in the third storage means, and are 
output to the third data system controlled by the third transmission 
protocol stored in the third storage means. 
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9. The apparatus according to claims 7 and 8 and comprising a third 
encryption means, the third encryption means being controlled by the 
data input means and the third storage means, so that provided the 
card is identified as a card belonging to the third data system, the 

5 data originating from the data read from the card and the code are 
encrypted in the third encryption means. 

10. The apparatus according to claim 6 or 7 and communicating with 
three or more data systems, and further comprising a third storage 
means for storing a verification algorithm, and a comparator means, 

10 the card identifying signal further positively identifying the card as a 
card belonging to one of the three or more data systems, and the 
comparator means being controlled by the data input means and, the 
third storage means, for comparing the data originating from the data 
read from the card and the code, so that, provided the card is 

15 identified as a card belonging to the third data system an authenticity 
code is supplied to the third data system in case the data originating 
from the data read from the card are verified in relation to the code 
by employing the verification algorithm stored in the third storage 
means, or alternatively, a non-authenticity code is supplied to the 

20 third data system in case the data originating from the data read from 
the card are not verified in relation to the code by employing the 
verification algorithm stored in the third storage means. 

11. The apparatus according to claims 7 and 10, and- comprising a 
third encryption means, a third encryption algorithm further being 

25 stored in the third storage means, the third encryption means being 
controlled by the data input means and the third storage means, so 
that, provided the card is identified as a card belonging to the third 
data system, the data originating from the data read from the card 
and the code are encrypted in the third encryption means by employ- 

30 ing the third encryption algorithm stored in the third storage means 
prior to the comparison of the data and the code in the comparator 
means. 

12. The apparatus according to any of the preceding claims, further 
comprising an identifying means for receiving the data originating 
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from the data read from the data carrying card, and for generating 
the card identifying signal positively identifying the card as a card 
belonging to a respective of the data systems or as a card belonging 
to neither of the data systems. 

5 13, The apparatus according to claim 12 and further comprising a 
reading means for reading the data from the data carrying card. 

14. The apparatus according to any of the preceding claims and fur- 
ther comprising a temporary storage means for temporarily storing the 
data read from the card and the personal authentication code. 

10 15. The apparatus according to claim 14 and further comprising a 
data receiving means for receiving data from the data systems. 

16. The apparatus according to claim 15, and further comprising a 
random number generator means, a random number generated by the 
random number generator means being stored in the temporary sto- 

T5 rage means and input to the encryption means together with the data 
to be encrypted therein and further being output to the said first 
data system together with the data output thereto. 

17. The apparatus according to claim 16 and comprising a further 
comparator means for comparing the data transmitted thereto from the 

20 said first data system and the random number stored in the temporary 
storage means. 

18. The apparatus according to any of the claims 1-5 and 14-17, and 
further comprising a radiopaque, tamper- and tappingproof housing 
enclosing at least the data input means, the input means, the storage 

25 means, the encryption meanis, the comparator means, the temporary 
storage means, the further comparator means, and the random number 
generator means. 

T9. The apparatus according to any of the claims 6-11 and 14-17, and 
further comprising a radiopaque, tamper- and tappingproof housing 
30 enclosing at least the data input means, the input means, the storage 



¥0 85/04742 



43 



PCT/DK85/00032 



means, the encryption means, the temporary storage means, the 
further comparator means, and the random number generator means. 

20. The apparatus according to any of the preceding claims, wherein 
the encryption means are adapted to carry out a DES encryption, and 

5 wherein the respective storage means comprise a respective DES 
encryption key. 

21. The apparatus according to any of the preceding claims, and 
comprising a further input means for receiving a number indicating a 
sum of money, the number being input to the encryption means to- 

10 gether with the data to be encrypted therein, and being output to 
the respective data system together with the data output thereto. 

22. A method of communicating with at least two different data sy- 
stems, of receiving data originating from data read from a data carry- 
ing card and of transmitting the data originating from the data read 

15 from the card to a first of said data systems, or alternatively, of 
verifying the! authenticity of a* person in possession of the card 
relative to a second of said data systems, comprising: 

receiving the data originating from the data read from the card, 

identifying the card on the basis of the data received from the 
20 reading means, as a card belonging to the first data system, as a 
card belonging to the second data system, or as a card belonging to 
neither of the data systems, 

inputting a personal authentication code, 

encrypting the data originating from the data read from the card 
25 and the code, provided the card is identified as a card belonging to 
the first data system, the data originating from the data read from 
the card and the code being encrypted by employing an encryption 
algorithm, and being output to the first data system controlled by a 
transmission protocol, and 
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comparing the data originating from the data read from the card 
and the code, provided the card is identified as a card belonging to 
the second data system, an authenticity code being supplied to the 
second data system in case the data originating from the data read 
5 from the card are verified in relation to the code by employing a 
verification algorithm, or alternatively, a non-authenticity code being 
supplied to the second data system in case the data originating from 
the data read from the card are not verified in relation to the code 
by employing the verification algorithm. 

TO 23, A method of communicating with at least two different data sy- 
stems, of receiving data originating from data read from a data carry- 
ing card and of transmitting the data originating from the data read 
from the card to a first of said data systems, or alternatively, of 
transmitting the data to a second of said data systems, comprising: 

T5 receiving the data originating from the data read from the card, 

identifying the carcf on the basis of the* data received from the 
reading means, as a card belonging to the first data system, as a 
card belonging to the second data system, or as a card belonging to 
neither of the data systems, 

20 inputting a personal authentication code, and 

encrypting the data originating from the data read from the card 
and the code, so that, provided the card is identified as a card 
belonging to the first data system, the data originating from the data 
read from the card and the code, are encrypted by employing a first 

25 encryption algorithm, and are output to the first data system con- 
trolled by a first transmission protocol, or alternatively, so that, 
provided the card is identified as a card belonging to the second data 
system, the data originating from the data read from the card and the 
code are encrypted by employing a second encryption algorithm, and 

30 are output to the second data system controlled by a second trans- 
mission protocol. 
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24. The method according to claim 22 or 23, further comprising: 
reading the data from the card. 

25. The method according to any of the claims 22-24 further compri- 
sing any of the characteristics of the claims 1-21 . 
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